New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible #23231
Comments
(Sorry for not finishing the title; updated) |
cc @kbsriram @agl - if either of you can do a quick triage on if it's user error (in which case, I'll open a PR with docs) or if this is a legit issue. I tried taking a whack at fixing it, but the signature serialization is a bit .... tightly coupled with writing out a signature packet. It didn't seem clear on the right way to refactor it, so I'm going to have to give up on fixing it. |
@paultag @agl Seems like EmbeddedSignatures (0x19: Primary Key Binding Signature from RFC4880 Section 5.2.1) are not currently supported. Taking a look at the code in addSubKey() in openpgp/keys.go:
Seems like only SigTypeSubkeyBinding (0x18) is supported. I am planning to take a shot at implementing this. Any poc code or notes/docs you could share regarding this would help me get a jumpstart on this issue. |
Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed. If this is a security issue, please email security@golang.org and we will assess it and provide a fix. If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here. If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one. |
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version
)?go version go1.9.2 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?What did you do?
When creating a signing subkey in Go, I created an
EmbeddedSignature
, but when ISerialize
, it goes missing.This strikes me as weird, since
Serialize
will output the Signature when it parses one coming in. This makes me think that it's dumping some sort of raw internal slice containing the packets it saw coming in.Is it possible to create a signing subkey in go? I don't see anyone using this field outside of validation.
What did you expect to see?
A Signature subpacket in my signature
What did you see instead?
No cross signature.
The text was updated successfully, but these errors were encountered: